OCR Director Says “Increased HIPAA Enforcement To Come”

When Office for Civil Rights Director Leon Rodriguez took the stage on Monday, September 23rd to talk HIPAA at the HIMSS Media and Healthcare IT News Privacy and Security Forum, the timing was perfect.

With the HIPAA Omnibus Final Rule taking effect Sept. 23, Rodriguez spoke about the increased enforcement to come, the importance of properly safeguarding patient privacy, and the what-not-to-dos, or breach blunders, that have resulted in hefty monetary penalties for some groups that failed to take patient privacy and security seriously.

“Today is a critical day for the Omnibus,” said Rodriguez, who explained that the agency is working to strike a balance between effective enforcement and clearly communicating what all the rules are surrounding patient privacy and security.

Rodriguez pointed out that for 10 years of his life, he represented covered entities, which has really helped him take a balanced approach to enforcement.

“On the one hand you do have to have assertive enforcement; you have to have credible enforcement, that really does play a critical role in obtaining compliance,” he said. “But at the same time you have to set rules of the road that are understandable and consistent, and you really need to make sure people know what the rules of the road are.”

Rodriguez explained the three types of cases the OCR receives and subsequently investigates. The first, he says, are cases involving major security failures, or the “records in the dumpster” types of breaches. Described by one of his former colleagues as “breach porn,” these cases typically end up on the front pages of media outlets.

The second area involves egregious, borderline intentional violations. Case in point: the UCLA case, in which Farrah Fawcett’s information on her cancer treatment was disclosed and which eventually “exposed a series of systemic failures at UCLA.”

Access is the third category, says Rodriguez, who cited the Cignet Health case as an example. Although there was no reported breach, Cignet Health refused to grant patients access to their medical records when they asked for them. Following an investigation by OCR, the organization also refused to cooperate with OCR officials. Eventually, it was slapped with a $4.3 million fine.

Of the some 80,000 HIPAA breach cases OCR has received since 2003, only 16 have resulted in fines, Rodriguez pointed out in an August interview.

“It’s a relatively small part of what we do here,” he said. Most cases OCR handles involve corrective action rather than monetary fines.

Ultimately, “It is the patient’s interests that really define what are going to be our enforcement priorities, what are going to be the judgments we make,” said Rodriguez.